

Number of slides: 45

The Society of Automotive Engineers (SAE) Architecture Analysis & Design Language (AADL) Standard
An International Industry Standard for Embedded & Real-time Systems

Bruce Lewis, Chair, SAE AS-2C Subcommittee, Army AMCOM SED, bruce.a.lewis@us.army.mil, 256-876-3224
Peter Feiler, Technical lead, editor, Software Engineering Institute, phf@sei.cmu.edu, 412-268-7790

© 2004 by Carnegie Mellon University, www.aadl.info

SAE AADL Standard: An Enabler of Predictable Model-Based Embedded System Engineering
• Notation for specification of task and communication architectures of real-time, embedded, fault-tolerant, secure, safety-critical, software-intensive systems
• Fields of application: avionics, automotive, aerospace, autonomous systems, …
• Based on 15 years of DARPA-funded technologies
• Standard approved & published Nov 2004
• www.aadl.info

SAE AS-2C AADL Subcommittee
• Bruce Lewis (US Army AMRDEC): Chair
• Peter Feiler (SEI): technical lead, author & editor
• Steve Vestal (Honeywell): co-author
• Ed Colbert (USC): UML profile of AADL
• Joyce Tokar (Pyrrhus Software): Ada & C Annex
Other voting members
• Boeing, Rockwell, Honeywell, Lockheed Martin, Raytheon, Smith Industries, General Dynamics, Airbus, Axlog, European Space Agency, TNI, Dassault, EADS, High Integrity Solutions
Coordination with
• NATO Aviation, NATO Plug and Play, French Government COTRE, SAE AS-1 Weapons Plug and Play, OMG UML & SysML

AADL-Based System Engineering (diagram)
• Architecture modeling: abstract, but precise
• System analysis: schedulability, performance, reliability, fault tolerance, dynamic configurability
• System integration (software system engineer): runtime system generation, application composition, system configuration
• Application software (composable mechanized components, supply chain): automatic target recognition, guidance & control, sensor & signal processing, ambulatory, information fusion, GPS, DB, HTTPS
• Execution platform: Ada runtime, devices, memory, bus, processor
• Result: predictive embedded system engineering, reduced development & operational cost

A Partitioned Portable Architecture (diagram)
Layers: Application Software Component / AADL Runtime System / Real-Time Operating System / Embedded Hardware Target
Strong partitioning
• Timing protection
• OS call restrictions
• Memory protection
Interoperability/portability
• Tailored runtime executive
• Standard RTOS API
• Application components

The AADL Standard
• Requirements document SAE ARD 5296
  – Input from aerospace industry
  – Balloted and approved in 2000
• SAE AADL document SAE AS 5506
  – Core language published by SAE Nov 2004
• In review, to be balloted late 2004
  – Alignment with industry practice
  – Graphical AADL notation
  – UML profile of AADL for UML 1.4 and UML 2.0
  – AADL meta model, XMI domain model, XML schema (key to tool interoperability)
  – Ada and C Annex
• In development
  – Reliability Modeling Annex
  – Partitioning Annex (ARINC 653)

AADL: The Language
• Components with precise semantics
  – Thread, thread group, process, system, processor, device, memory, bus, data, subprogram
• Completely defined interfaces & interactions
  – Data & event flow, synchronous call/return, shared access
  – End-to-end flow specifications
• Real-time task scheduling
  – Supports different scheduling protocols incl. GRMA, EDF
  – Defines scheduling properties and execution semantics
• Modal, configurable systems
  – Modes to model transitions between statically known states & configurations
• Component evolution & large-scale development support
• AADL language extensibility

AADL Language Extensions
• New properties through property sets
• Sublanguage extension
  – Annex subclauses expressed in an annex-specific sublanguage
• Project-specific language extensions
• Language extensions as approved SAE AADL standard annexes
• Examples
  – Error Model
  – ARINC 653 partition behavior
  – Constraint sublanguage

Two-Tier Tool Strategy
• Open Source AADL Tool Environment (OSATE)
  – Developed by SEI
  – Low entry cost solution (no-cost CPL)
  – Multi-platform support based on Eclipse
  – Vehicle for in-house prototyping of project-specific architecture analysis
  – Vehicle for architecture research with access to industrial models & industry exposure to research results
• Commercial tool support (Artisan, Rational, …; TNI Stood)
  – UML tool environment extension based on UML profile
  – Extension to existing modeling environment with AADL export/import
  – Analysis tools interfacing via XML or XML-to-native filter
  – Runtime system generation tools

Benefits
• Model-based system engineering benefits
  – Analyzable architecture models drive development
  – Predictable runtime characteristics at different modeling fidelity
  – Model evolution & tool-based processing
  – Prediction early and throughout the lifecycle
  – Reduced integration & maintenance effort
• Benefits of AADL as SAE standard
  – Common modeling notation across organizations
  – Single architecture model augmented with analysis properties
  – Interchange & integration of architecture models
  – Tool interoperability & extensible engineering environments
  – Aligned with UML-based engineering practices

Two Case Studies
• Full-scale analysis & integration
  – Port of missile guidance system
  – Tool-supported analysis & generation
• Pattern-based analysis of systemic issues
  – Modernized avionics system architecture
  – Change in real-time architecture concepts

MetaH Case Study at AMCOM
• Reengineered missile application
  – Missile on-board software and 6-DOF environment simulation originally in Jovial
  – Ported to Ada 83, executing on dual i80960MC, Tartan Ada, VME boards
  – Built to Generic Missile Reference Architecture
  – Specified in MetaH, 12 to 16 concurrent processes
  – Timing analysis early in reengineering effort
  – Runtime executive generated by MetaH toolset
  – MetaH reduced total re-engineering cost 40% on the first project it was used on; missile prime estimated savings at 66%.

MetaH Case Study at AMCOM - 2
• Missile application ported to a new execution environment
  – Multiple ports to single- and dual-processor implementations
  – New processors (Pentium and PowerPC), compilers, O/S
  – First-time executable flew correctly on each target environment
  – Execution platform description and binding specification in MetaH model
  – Port of runtime executive virtual machine to new processor & O/S
  – Ports took a few weeks rather than 10 months

AMCOM Effort Saved Using MetaH (bar chart)
Total project savings 50%, re-target savings 90%
Y axis: man hours (0 to 8000); series: Traditional Approach vs. Using MetaH
X axis phases: Review 3-DOF, Translate 6-DOF, RT 6-DOF, Current, Transform, Test 6-DOF, RT Missile, MetaH Build, Debug, Re-target
Annotations: "Reengineering & MetaH model analysis", "First integration of reengineered system", "Retargeting to new execution platform"

AADL-Based Pattern Analysis
• SAE AADL employs
  – Components with precisely defined execution semantics
  – Explicit component interactions
  – Separation of concerns
• Pattern-based architecture analysis approach
  – Uses design patterns in analysis
  – Identifies systemic problems early
  – Enables the right choices with confidence
  – Provides analysis-based decisions

An Avionics System Case Study
• Migration from static timeline to preemptive scheduling
  – Identified issues with shared-variable communication
  – Migration potential from polling tasks to event-driven tasks
• Flexibility, predictability & efficiency of port-based communication
  – Support for deterministic transfer & optimized buffers
• Effectiveness of connection & flow semantics
  – Bridge to control engineers
  – Insulate from partition scheduling decisions
  – Support end-to-end latency analysis
• Analyzable fault-tolerant redundancy patterns
  – Orthogonal architecture view without model clutter

A Naïve Thread-based Design (diagram; thread and priority labels as recovered)
Threads communicating through a shared data area, in decreasing priority (Pr 1 highest):
• Pr 1: Periodic I/O, 20 Hz (to/from other partitions)
• Pr 2: Navigation Sensor Processing, 20 Hz
• Pr 3: Integrated Navigation, 10 Hz
• Pr 4: Guidance Processing, 20 Hz
• Pr 6: Flight Plan Processing, 5 Hz
• Pr 9: Aircraft Performance Calculation, 2 Hz
Annotations:
• Potential priority inversion due to priority assignment
• Tasks must complete within frame => cyclic executive behavior
• Potential non-deterministic communication due to preemption

Flight Manager in AADL (diagram)
Data flow, with thread rates:
• Nav signal data (from partitions) -> Navigation Sensor Processing (20 Hz) -> Nav sensor data -> Integrated Navigation (10 Hz) -> Nav data
• Nav data -> Guidance Processing (20 Hz) -> Guidance (to partitions)
• Nav data -> Flight Plan Processing (5 Hz) -> FP data -> Aircraft Performance Calculation (2 Hz) -> Performance data; Fuel Flow enters Aircraft Performance Calculation from partitions
Annotations:
• Immediate & delayed data port connections preserve determinism
• AADL connections have precise timing semantics
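The flight manager on this slide, and the platform binding idea from the MetaH port slides, written out as an added illustration in AADL v1 textual syntax (the syntax of the 2004 SAE AS5506 standard the deck refers to). This is not code from the deck or from SEI. Component names follow the slide; the execution times, the process and system wrappers, the processor and the binding are assumptions made for the example. The `->>` delayed-connection operator is AADL v1; AADL v2 expresses the same connection with the property `Timing => Delayed`.

```aadl
-- Added illustration, not from the original deck: the Flight Manager
-- slide as AADL v1 text. Execution times, the process/system wrappers
-- and the processor binding are assumptions made for this example.
package Flight_Manager_Example
public

data Nav_Signal_Data
end Nav_Signal_Data;

data Nav_Sensor_Data
end Nav_Sensor_Data;

data Nav_Data
end Nav_Data;

data Guidance_Data
end Guidance_Data;

-- 20 Hz front end: reads raw navigation signals every 50 ms frame
thread Navigation_Sensor_Processing
features
  signal_in  : in  data port Nav_Signal_Data;
  sensor_out : out data port Nav_Sensor_Data;
properties
  Dispatch_Protocol => Periodic;
  Period => 50 ms;
  Deadline => 50 ms;
  Compute_Execution_Time => 2 ms .. 4 ms;   -- assumed
end Navigation_Sensor_Processing;

-- 10 Hz filter: consumes every other sensor frame
thread Integrated_Navigation
features
  sensor_in : in  data port Nav_Sensor_Data;
  nav_out   : out data port Nav_Data;
properties
  Dispatch_Protocol => Periodic;
  Period => 100 ms;
  Deadline => 100 ms;
  Compute_Execution_Time => 10 ms .. 20 ms; -- assumed
end Integrated_Navigation;

-- 20 Hz consumer of the navigation solution
thread Guidance_Processing
features
  nav_in       : in  data port Nav_Data;
  guidance_out : out data port Guidance_Data;
properties
  Dispatch_Protocol => Periodic;
  Period => 50 ms;
  Deadline => 50 ms;
  Compute_Execution_Time => 3 ms .. 5 ms;   -- assumed
end Guidance_Processing;

process Flight_Manager
features
  nav_signal : in  data port Nav_Signal_Data;
  guidance   : out data port Guidance_Data;
end Flight_Manager;

process implementation Flight_Manager.impl
subcomponents
  nsp  : thread Navigation_Sensor_Processing;
  inav : thread Integrated_Navigation;
  gp   : thread Guidance_Processing;
connections
  data port nav_signal -> nsp.signal_in;
  -- Immediate connection (->): when both threads are dispatched in the
  -- same frame the receiver waits for the sender to complete and reads
  -- the value produced in that frame, whatever the priorities are.
  data port nsp.sensor_out -> inav.sensor_in;
  -- Delayed connection (->>): the receiver reads the value the sender
  -- produced in its previous frame, so what it sees does not depend on
  -- where preemption happens to interleave the two threads.
  data port inav.nav_out ->> gp.nav_in;
  data port gp.guidance_out -> guidance;
end Flight_Manager.impl;

processor Flight_CPU
end Flight_CPU;

system Avionics
end Avionics;

system implementation Avionics.impl
subcomponents
  fm     : process Flight_Manager.impl;
  fm_cpu : processor Flight_CPU;
properties
  -- The platform binding lives in the model: retargeting changes this
  -- association, not the application threads.
  Actual_Processor_Binding => reference fm_cpu applies to fm;
end Avionics.impl;

end Flight_Manager_Example;
```

With the shared data area of the naive design replaced by typed data ports, the two determinism annotations on the slide become checkable model properties: a scheduling analysis reads Period, Deadline and Compute_Execution_Time from the threads, and the connection kind fixes which frame's value each consumer sees regardless of the priority assignment.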

Command Flow Timing (diagram)
Cockpit Display -> Display Manager -> Page Content Manager -> Flight Manager -> Flight Director
Annotations:
• Sampling of input
• Partition latency imposes lower latency bound
• Cross-partition communication assumed to be a frame boundary

System Redundancy (diagram, "typical chart")
Redundant components DM, WAM, PCM, FM, WM, CM, SA, FD connected over a high speed bus and 1553 buses

Redundancy Specification
• Redundancy abstraction
• Co-location constraints on execution platform binding
• Redundancy characteristics as properties
Diagram labels: 2X SS1, 2X SS2, 4X WM, MFD DM1..DM4, WAM, FM, PCM, SA, CM, FD, 1553

Primary/Backup Patterns (diagram)
Patterns shown: Passive Backup, Hot Standby with Continuous State Exchange, Voted Output (subsystem labels CSS1 Primary/Backup, SS1.1, SS1.2, CSS1.1, CSS1.2, SS1.3)

AADL In Use
• Examples of system modeling & analysis
• Modeling of reference architectures
• Verification of system architectures
• SBIR & STTR projects


NATO Fighter Reference Architecture (diagram)


SAE AS-1 Weapons Plug’n’Play Reference Architecture (diagram)


Example Annex Extension (COTRE thread properties and COTRE behavioral annex)

```aadl
THREAD t
FEATURES
  sem1 : DATA ACCESS semaphore;
  sem2 : DATA ACCESS semaphore;
END t;

THREAD IMPLEMENTATION t.t1
PROPERTIES
  -- standard AADL thread properties
  Period => 13.96 ms;
  Dispatch_Protocol => Periodic;
  -- project-specific properties from the COTRE property set
  cotre::Priority => 1;
  cotre::Phase => 0.0 ms;
-- COTRE behavioral annex: the thread body as a state machine whose
-- transitions carry computation times and semaphore operations
ANNEX cotre.behavior {**
  STATES
    s0, s1, s2, s3, s4, s5, s6, s7, s8 : STATE;
    s0 : INITIAL STATE;
  TRANSITIONS
    s0 -[ ]-> s1 { PERIODIC_WAIT };
    s1 -[ ]-> s2 { COMPUTATION(1.9 ms, 1.9 ms) };
    s2 -[ sem1.wait ! (-1.0 ms) ]-> s3;
    s3 -[ ]-> s4 { COMPUTATION(0.1 ms, 0.1 ms) };
    s4 -[ sem2.wait ! (-1.0 ms) ]-> s5;
    s5 -[ ]-> s6 { COMPUTATION(2.5 ms, 2.5 ms) };
    s6 -[ sem2.release ! ]-> s7;
    s7 -[ ]-> s8 { COMPUTATION(1.5 ms, 1.5 ms) };
    s8 -[ sem1.release ! ]-> s0;
**};
END t.t1;
```

Courtesy of


A Research Transition Platform
• SBIR contract requires use of AADL
  – Eglin AFB, 21st Century Systems
  – Weapons Plug’n’Play compatibility analysis
• STTR contract uses AADL
  – U. Penn, Fremont Associates
  – Map hybrid control system language (Charon) into AADL


XML-Based Tool Integration Strategy (diagram)
• AADL front-end: textual AADL, graphical AADL, semantic checking, graphical layout model
• Declarative AADL model -> AADL instance model
• Analyses on the instance model: scheduling analysis (commercial tool), reliability analysis, safety analysis (research prototype), project-specific in-house analysis
• AADL runtime generator

OSATE Capabilities
• OSATE Release 0.4.0 based on Eclipse Release 3
• Online AADL help
• Over 250 downloads internationally
• Text to XML & XML to text
• Syntax-sensitive text editor
• Parsing & semantic checking of full AADL
• Syntax-sensitive AADL object editor
• AADL property viewer
• Processed a 21000-line model in 20 sec
• AADL model versioning & team support
• Model instantiation
• Model consistency checking
• AADL to MetaH translator
• Next release Jan 2005: graphical editor, plug-in development, multi-file support

OSATE Plug-in Extensions (diagram)
• OSATE: textual AADL, graphical AADL; XML/XMI AADL, AADL object model API; AADL extension support; text editor, object editor, graphical editor; text<->XML; semantics; multi-file support; change notification
• EMF: AADL front-end, XML/XMI, metamodel
• Eclipse: platform independence, extensible help, task & problem management, team support, plug-in development
• External models & tools: architecture import (Simulink/Matlab model extraction via SVM), architecture export (MetaH)
• OSATE extensions: analysis template, generation template, AADL semantic API
• Architecture analysis: security level, data stream miss rate, latency, timing analysis (RMA)
• Architecture consistency: required connectivity, model completeness profiles, connectivity cycles
• Architecture transform / model transformation: conceptual architecture -> runtime architecture, rate group optimization, port group identification

OSATE Plug-in Development
• Four-part presentation series
  – Dec 2004 & Jan 2005
  – VTC, webcast, telecon, video taped
  – Participants included
    • Airbus Industries, ENST, Axlog, TNI France
    • European Space Agency Netherlands
    • EADS Germany
    • US Army AMRDEC
    • Lockheed Martin, Rockwell Collins, Honeywell
    • USC, University of Pennsylvania
    • 21st Century Systems, Pyrrusoft
    • Bosch
• OSATE Plug-in Development Guide

Example of Commercial Tool Support (screenshot)

A Technology Transition Enabler
• Industry standard architecture modeling notation & model interchange format facilitates
  – Interchange of architecture models between contractors & subcontractors
  – Integration of architecture models for system-of-systems analysis
  – Common architecture model for non-functional system property analysis from different perspectives
  – Interoperability of modeling, analysis, and generation tools
  – Platform for research & prototyping of new architecture analysis techniques

Benefits
• Model-based system engineering benefits: predictable runtime characteristics addressed early and throughout the life cycle greatly reduce integration and maintenance effort
• Benefits of AADL as SAE standard: AADL as a standard provides confidence in language stability, broad adoption, and strong tool support